DMARCify · Playbook

Going from p=none to p=reject without breaking mail

A five-week ramp that reliably gets a domain to DMARC enforcement — and the three checks to run at each stage so you never lose legitimate mail. · 8 min read · by DMARCify team

Field note

Treat p=reject as a rollout, not a switch: observe, fix alignment, sample quarantine, sample reject, then enforce.

p=reject is the destination, not the starting point. Almost every domain we onboard starts at p=none — and the failure mode we see most is people skipping the intermediate steps and discovering, on a Monday morning, that their CRM has been silently dropped by Gmail for a week.

Here's the ramp we recommend, and the three concrete things to verify before each promotion. Five weeks. No surprises.

Week 1 — Observation at p=none

Publish a monitor-only policy and let receivers tell you who's actually sending mail.

_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:r-…@dmarcify.dev; fo=1"

That's it for the first week. Receivers will email reports daily; DMARCify parses them, groups by source IP, and resolves PTR/ASN/country so you can see "Google Workspace sent 18k, SendGrid sent 2k, an unknown box in NL sent 50."

Check before week 2
  • Reports arrived from Google, Microsoft, and at least one other receiver.
  • The rua address in DNS matches the DMARCify address for the domain.
  • The report stream contains real production volume, not just test messages.

Week 2 — Fix alignment for legitimate senders

Look at the "unknown" and "failing" buckets. For each one, decide: is this a sender we own (the CRM, the support tool, the marketing platform), or is it noise?

  • Owned + failing: usually means the vendor hasn't been set up with a custom DKIM signing domain. Every reputable ESP supports this — it's a couple of CNAMEs.
  • Owned + only-SPF-aligned: fine for now, but DKIM is the more durable signal. Ask the vendor for "DKIM signing with your own domain."
  • Noise: mailing list forwarders, "fwd to my Gmail" personal forwards. DKIM-aligned, SPF-broken. Leave them alone — they'll still align once you're on p=reject, because forwarders don't strip DKIM signatures.

Check before week 3
  • Every owned sender shows at least 99% DKIM alignment for three consecutive days.
  • Any SPF-only sender has a DKIM setup task assigned to the platform owner.
  • Forwarder-shaped failures are classified separately from unknown unaligned traffic.

Week 3 — Quarantine, but only 10%

Promote carefully. pct=10 means receivers apply your policy to 10% of failing messages — a sample, not the whole stream. The other 90% get the next less severe policy, so under p=quarantine; pct=10 they are still treated as p=none.

_dmarc IN TXT "v=DMARC1; p=quarantine; pct=10; rua=mailto:r-…@dmarcify.dev; fo=1"

Check before week 4
  • Legitimate quarantined volume is near zero.
  • No support, billing, CRM, or transactional mail source newly appears in the failing bucket.
  • A rollback DNS change is ready if a missed sender appears.

Week 4 — Quarantine 100%, then reject 10%

Bump pct=100 on quarantine, observe for three days, then flip to p=reject; pct=10.

_dmarc IN TXT "v=DMARC1; p=reject; pct=10; rua=mailto:r-…@dmarcify.dev; fo=1"

Week 5 — Full enforcement

Remove the pct tag (which defaults to 100). You're done.

_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:r-…@dmarcify.dev; fo=1"

From now on, the only thing to watch for is new senders showing up in the dashboard — someone connecting Marketo to your domain, a forgotten staging service waking up. DMARCify sends a weekly digest specifically for this.
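As an added example (not DMARCify's code), here is a small Python helper that models the five-stage ramp above: it parses a _dmarc TXT record, shows which policy a receiver applies to sampled versus unsampled failing mail under pct (per RFC 7489), and proposes the next record only when every owned sender has cleared the week-2 gate of at least 99% DKIM alignment for three consecutive days. The sender names, alignment ratios and rua address used with it are constructed for illustration.

```python
from __future__ import annotations

# The ramp from the post, in order, as (p, pct); a missing pct tag means 100.
RAMP = [("none", 100), ("quarantine", 10), ("quarantine", 100),
        ("reject", 10), ("reject", 100)]
# RFC 7489 section 6.6.4: failing mail outside the pct sample gets the next less severe policy.
NEXT_LESS_SEVERE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; ...' into a tag dict; reject malformed records."""
    tags: dict[str, str] = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in NEXT_LESS_SEVERE:
        raise ValueError("not a valid DMARC record")
    return tags

def effective_policy(tags: dict[str, str], sampled: bool) -> str:
    """Policy a receiver applies to one failing message under pct sampling."""
    return tags["p"] if sampled else NEXT_LESS_SEVERE[tags["p"]]

def build_record(p: str, pct: int, rua: str) -> str:
    """Record text for a stage; pct=100 is the default, so that tag is omitted."""
    pct_tag = f"pct={pct}; " if pct != 100 else ""
    return f"v=DMARC1; p={p}; {pct_tag}rua=mailto:{rua}; fo=1"

def propose_next(txt: str, alignment: dict[str, list[float]],
                 min_days: int = 3, threshold: float = 0.99) -> tuple[str, str]:
    """Return ('promote', next_record), ('wait', current) or ('done', current).
    alignment maps each owned sender to daily DKIM-alignment ratios; the gate is
    the week-2 check: every sender at or above threshold for min_days days."""
    tags = parse_dmarc(txt)
    for series in alignment.values():
        recent = series[-min_days:]
        if len(recent) < min_days or min(recent) < threshold:
            return "wait", txt
    stage = (tags["p"], int(tags.get("pct", "100")))
    if stage not in RAMP:
        raise ValueError(f"record is not at a ramp stage: {stage}")
    i = RAMP.index(stage)
    if i + 1 == len(RAMP):
        return "done", txt
    p, pct = RAMP[i + 1]
    return "promote", build_record(p, pct, tags["rua"].removeprefix("mailto:"))
```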

The shortcut

If you'd rather not run this manually, the AI auto-policy feature on Pro does exactly this five-week ramp, watching your alignment numbers and only promoting when the dashboard is clean. You stay in control — every promotion shows a "promote / wait" proposal in the dashboard you can override.

The dashboard surfaces the things this post talks about — alignment, forwarders, source attribution — for every domain you monitor.